Article by ThreatQuotient APJC Regional Director, Anthony Stitt.
The Security Operations Center (SOC) has been at the forefront of the pandemic-induced escalation of cybersecurity threats over the past eighteen months. A 2020 study found that the average security operations team receives over 11,000 alerts per day (the number has likely increased in the meantime).
While deeply engaged in the crisis response, SOC teams simultaneously dealt with the disruption common to all former office workers. They were transitioning to remote work and learning how to continue collaborating successfully with remote colleagues.
As the SOC examines the changes and challenges of the past year, it is possible to explore some of the factors that characterize the modern SOC and the problems encountered in this crucial sector.
After collecting and analyzing insights from security analysts and team leaders across a wide range of industry sectors, the following key findings were collated as priorities for equipping SOCs for the future:
Cybersecurity skills shortage continues to be felt
A persistent problem: The main obstacle to fully utilizing the capabilities of a SOC is the lack of qualified personnel.
Supporting internal skills development should be a key priority for SOC leaders. This not only improves the performance of the SOC, but also encourages staff to stay with the organization for the long term. The most common tenure for a SOC analyst is between one and three years, but training opportunities and career development are the main factors that encourage employee retention.
There are other benefits to developing your own expertise. For example, the main “missing skill” in teams was threat hunting experience, which can be expensive to bring in from the outside. Threat hunting and intelligence monitoring are the activities most commonly outsourced by the SOC. Yet these are two areas where intimate knowledge of internal systems and infrastructure significantly improves efficiency.
Suppose analysts can learn these skills and are supported by tools that ease the burden of intelligence assimilation. In this case, it will represent a double benefit for the company: it will retain key personnel and strengthen its internal capacities in the areas that would benefit the most.
Working from home becomes the norm
The evolution of the work environment is linked to the challenge of retaining staff. Unsurprisingly, 87% of security analysts and team leaders surveyed said working from home was allowed in their organization. This may have raised questions about how to collaborate effectively, but the general success of remote working has freed analysts from the SOC.
Where before they could only look for a job within an easy commute, now they can look further afield. This means organizations will need to work harder to attract and retain employees, and it gives analysts greater leverage over pay and working conditions.
This should lead to a greater focus on analyst workload, which is long overdue. Currently, organizations do not have a proper method to calculate analyst workload. The majority of survey respondents say their SOC doesn’t calculate it, and the second most common answer is that they use a time-per-ticket basis method. With 83% of SOCs running 24/7 and most providing this capability through internal resources, workload management is important to maintaining team wellbeing.
As the workforce embarks on the ‘big quit’, all of the above factors should ring alarm bells to warn employers that they must develop and protect their employees if they are to retain them.
Automation and data context improve efficiency and security
Automation and orchestration is another effective way to mitigate the impact of increasing workloads on the SOC, and here teams are also struggling. Automation and orchestration was only a close second to skills shortages as the most significant challenge facing SOCs.
When teams are understaffed, mundane, repetitive, low-value tasks should be automated as much as possible, freeing analysts to focus on higher-value activities that reduce detection and response time and are more satisfying for the individual. Automation also helps teams meet performance goals and manage the growing volume of alerts.
A few quick wins can be implemented here. For example, one respondent successfully deployed a portal integrating dozens of data sources that enabled the consolidation of information from across the enterprise. This resulted in a reduction in response times from level 0 to level 2 by 25%.
A number of respondents cited the lack of data context as a major barrier to operating an effective SOC. The SOC of the future will be increasingly data-driven, ingesting information from multiple sources inside and outside the enterprise, but data without context or relevance simply overwhelms analysts.
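The points above (automating repetitive work, consolidating data sources, adding context so alerts do not overwhelm analysts, and the time-per-ticket workload method mentioned earlier) can be made concrete with a small triage pipeline. The following is an added example written for this page, not code from the article or from ThreatQuotient; the alert fields, the asset inventory, the authorised-scanner list, the scoring weights and the 20-minute-per-ticket figure are all constructed assumptions.

```python
"""
Added example (not from the article): a small alert-triage pipeline that
shows two ideas from the text side by side, automating a repetitive task
(collapsing repeated firings of the same alert) and attaching context
(asset criticality, known-benign sources) so the analyst queue is shorter
and ranked. It also computes the "time-per-ticket" workload estimate.
All data below is constructed; names and field layouts are assumptions.
"""

# Constructed sample alerts, roughly as a SIEM might export them.
ALERTS = [
    {"id": 1, "rule": "brute_force_ssh", "host": "web-01", "src": "203.0.113.7", "ts": 100},
    {"id": 2, "rule": "brute_force_ssh", "host": "web-01", "src": "203.0.113.7", "ts": 160},
    {"id": 3, "rule": "brute_force_ssh", "host": "web-01", "src": "203.0.113.7", "ts": 220},
    {"id": 4, "rule": "new_admin_user", "host": "dc-01", "src": "10.0.0.5", "ts": 300},
    {"id": 5, "rule": "port_scan", "host": "web-02", "src": "10.0.0.9", "ts": 310},
    {"id": 6, "rule": "port_scan", "host": "web-02", "src": "10.0.0.9", "ts": 4000},
]

# Constructed context sources: an asset inventory and the internal
# vulnerability scanner whose port scans are expected (hypothetical address).
ASSET_CRITICALITY = {"dc-01": "high", "web-01": "medium", "web-02": "low"}
AUTHORISED_SCANNERS = {"10.0.0.9"}

DEDUP_WINDOW = 600  # seconds; repeat firings within this window become one ticket
SEVERITY = {"new_admin_user": 3, "brute_force_ssh": 2, "port_scan": 1}  # assumed weights
CRIT_BOOST = {"high": 2, "medium": 1, "low": 0}


def deduplicate(alerts, window=DEDUP_WINDOW):
    """Collapse repeated firings of the same (rule, host, src) that start
    within `window` seconds of the first one into a single ticket with a count."""
    tickets = []
    open_by_key = {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["rule"], a["host"], a["src"])
        t = open_by_key.get(key)
        if t is not None and a["ts"] - t["first_ts"] <= window:
            t["count"] += 1
            t["last_ts"] = a["ts"]
            continue
        t = {**a, "first_ts": a["ts"], "last_ts": a["ts"], "count": 1}
        tickets.append(t)
        open_by_key[key] = t
    return tickets


def enrich(ticket):
    """Attach context: asset criticality, whether the source is an authorised
    scanner, and a priority score. Scans from authorised scanners are auto-closed."""
    crit = ASSET_CRITICALITY.get(ticket["host"], "unknown")
    benign = ticket["rule"] == "port_scan" and ticket["src"] in AUTHORISED_SCANNERS
    score = SEVERITY.get(ticket["rule"], 1) + CRIT_BOOST.get(crit, 1)
    return {**ticket, "criticality": crit, "auto_closed": benign,
            "priority": 0 if benign else score}


def triage(alerts):
    """Full pipeline: deduplicate, enrich, rank. Returns the analyst queue
    (open tickets, highest priority first) and the auto-closed tickets."""
    enriched = [enrich(t) for t in deduplicate(alerts)]
    queue = sorted((t for t in enriched if not t["auto_closed"]),
                   key=lambda t: (-t["priority"], t["first_ts"]))
    closed = [t for t in enriched if t["auto_closed"]]
    return queue, closed


def workload_hours(tickets, minutes_per_ticket=20):
    """Time-per-ticket workload estimate in analyst hours (the assumed 20 min
    per ticket stands in for whatever figure a SOC measures for itself)."""
    return len(tickets) * minutes_per_ticket / 60


if __name__ == "__main__":
    queue, closed = triage(ALERTS)
    print(f"raw alerts: {len(ALERTS)}  workload {workload_hours(ALERTS):.1f} h")
    print(f"analyst queue: {len(queue)}  workload {workload_hours(queue):.1f} h")
    for t in queue:
        print(f"  p{t['priority']} {t['rule']} on {t['host']} ({t['criticality']}) x{t['count']}")
    print(f"auto-closed: {[t['id'] for t in closed]}")
```

On the constructed input the six raw alerts become four tickets, two of which are closed automatically because the port scans come from the authorised scanner, so the analyst sees two ranked tickets (the new admin account on the high-criticality domain controller first) and the time-per-ticket estimate drops from 2.0 to about 0.7 hours. The design point is that the dedup window, scoring weights and benign-source list are explicit data, so the rules an analyst would otherwise apply by hand are visible and reviewable.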
Supporting the SOC of the future
As SOCs look to the next phase, it is essential to focus on people, data and technology, and on enabling them to work effectively together. By using automation to provide machine-based support where possible, along with the right tools for human analysts, SOCs can deliver improvements while keeping analysts engaged and giving them more time to develop in key areas such as threat hunting.